This document provides an overview of malware and intrusion detection. It defines malware as malicious software that can damage or destroy data. It describes common types of malware like viruses, worms, trojans, spyware, adware, backdoors, and ransomware. It also discusses protection against malware and different classes of intruders like cyber criminals, activists, and state-sponsored organizations. Finally, it defines an intrusion detection system as a system that monitors for unauthorized access. It has sensors that collect data, analyzers that detect intrusions, and a user interface. IDS can be host-based, network-based, or distributed.

Uploaded by

john
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
64 views

IA 124: Introduction To IT Security: Malware & Intrusion Detection

This document provides an overview of malware and intrusion detection. It defines malware as malicious software that can damage or destroy data. It describes common types of malware like viruses, worms, trojans, spyware, adware, backdoors, and ransomware. It also discusses protection against malware and different classes of intruders like cyber criminals, activists, and state-sponsored organizations. Finally, it defines an intrusion detection system as a system that monitors for unauthorized access. It has sensors that collect data, analyzers that detect intrusions, and a user interface. IDS can be host-based, network-based, or distributed.

Uploaded by

john
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 27

IA 124: Introduction to IT Security
Malware & Intrusion Detection

Instructor: Minja, Godbless (Assistant Lecturer)

Malware
• The term malware comes from two words:
– Malicious
– Software
• Simply put: Malware = Malicious software

• Definition:
– Malware is a program or software (a set of instructions)
written with harmful or malicious intent towards the data,
information or computer systems of an individual or
organization.

• Malware can damage or destroy data, information
or computer systems.
Malware
• Below are some types of malware:
– Virus
– Worm
– Trojan
– Spyware
– Adware
– Backdoor
– Ransomware
Malware
• Virus
– Is a type of malware that attaches itself to another
program or file and performs malicious actions when
that program or file is opened.
• It depends on a user opening the infected file or program
before it (the virus) can run.
• Worm
– Is a type of malware that maliciously copies itself
and spreads from computer to computer over a network.
• It does not need a host file, host program or user action
in order to spread; this is what distinguishes it from a virus.
Malware
• Trojan
– Is a type of malware that presents itself as useful
software or a harmless file, but once downloaded and
run, performs its malicious actions.
• It can be used to gain access to sensitive data and then
modify, block or delete that data.

• Spyware
– Is a type of malware that secretly collects information
about the user's activity and reports it back to a remote
attacker.
• It is often used to steal financial or personal information.
Malware
• Adware
– Is software that collects data on your computer usage
and uses it to serve targeted advertisements.

– It forces unsolicited advertising on end users.

– Adware is a very common category of malicious or
unwanted programs.
• Adware is usually bundled with free software that is funded
by the advertisements displayed by the Adware program.
Malware
• Backdoor
– Is malware that creates a covert (hidden/undercover)
access channel that the attacker can use for:
• connecting,
• controlling,
• spying,
• or otherwise interacting with the victim’s system.
– Backdoors can be embedded in otherwise legitimate programs that,
when executed, enable the attacker to connect to and use the
system remotely.
– Backdoors may also be planted in the source code by rogue
software developers before the product is released.
• This is more difficult to get away with if the program is open
source, because anyone can review the code.
Malware
• Ransomware
– Is malicious software that infects your computer and
displays messages demanding a fee to be paid in order
for your system or your files to be usable again.

– It is a criminal moneymaking scheme that can be
installed through deceptive links in an email message,
instant message or website.
• It may lock the computer screen, or encrypt important,
predetermined files so that they cannot be opened without a
decryption key that only the attacker holds.
– More: https://www.youtube.com/watch?v=Vkjekr6jacg
Malware
• Protection against malware:
– Be careful with the emails you receive.
• Email is one of the most popular ways of spreading malware.
• Watch for emails appearing to come from a bank, or a personal
email from a friend.
– Especially those that say "check out this cool website!" followed by a
link.
– Download and install software from trusted sources only.
• Some downloads carry malware with them, esp. acting as a trojan;
where the publisher provides a checksum or signature, verify it
before installing.
– Use software tools like antivirus.
• Windows 8/10 – comes with Windows Defender
• Android – Sophos, Avast, AVG
– For protection against ransomware:
• You are advised to back up your work regularly.
– This will avoid the loss of weeks or months of work.
– Keep at least one backup copy offline or otherwise unreachable from
the infected machine, since ransomware also encrypts any backup it can reach.
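The "trusted sources" advice above is only useful if you can actually check that what you downloaded is what the publisher shipped. The following is an added example (not part of the lecture slides) of the check a practitioner would run: verify a downloaded file against a SHA256SUMS manifest of the kind many projects publish beside their releases. The file contents and the manifest are constructed inside the example so it runs offline; the file name installer.bin is an assumption.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: a fake "download" and a SHA256SUMS manifest of the kind
# many projects publish beside their release files (assumed name installer.bin).
SAMPLE_FILE_CONTENT = b"example installer bytes\n"
SAMPLE_FILE_NAME = "installer.bin"


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large downloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(manifest_text: str) -> dict:
    """Parse the 'hexdigest  filename' lines produced by `sha256sum`.
    A leading '*' on the filename marks binary mode and is stripped."""
    entries = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than guess
        digest, name = parts
        if name.startswith("*"):
            name = name[1:]
        entries[name] = digest.lower()
    return entries


def verify_download(path: str, manifest_text: str) -> tuple:
    """Return (ok, reason). The digests are compared with hmac.compare_digest so
    the comparison does not leak timing information about the expected value."""
    name = os.path.basename(path)
    expected = parse_sha256sums(manifest_text).get(name)
    if expected is None:
        return False, f"no manifest entry for {name}"
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False, "malformed digest in manifest"
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, "SHA-256 mismatch: file was altered or the manifest is wrong"
    return True, "SHA-256 matches manifest"


def demo() -> tuple:
    """Write the constructed sample, build a matching manifest, then show a
    verified download followed by a tampered one. Returns (good_ok, bad_ok)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, SAMPLE_FILE_NAME)
        with open(path, "wb") as f:
            f.write(SAMPLE_FILE_CONTENT)
        manifest = f"{hashlib.sha256(SAMPLE_FILE_CONTENT).hexdigest()}  {SAMPLE_FILE_NAME}\n"
        good = verify_download(path, manifest)
        with open(path, "ab") as f:
            f.write(b"X")  # simulate a download that was modified in transit
        bad = verify_download(path, manifest)
        return good[0], bad[0]


if __name__ == "__main__":
    print(demo())
```

The manifest must come from a channel you trust (the publisher's own HTTPS site, ideally with a detached signature over the manifest): a checksum served from the same compromised mirror as the file proves nothing, because the attacker can regenerate it.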
Intrusion Detection
Intruders
• Who is an intruder?
– An entity that aims to compromise the security of a
computer/information system.
• Often referred to as a hacker or cracker.
• Can be an outsider (mostly) or an insider (rarely).
• Can target users or the system itself.

• NOTE:
– A defense-in-depth approach is needed when providing security.
Classes of Intruders
• Below are the broad classes of intruders:
– Cyber criminals
– Activists
– State-sponsored organizations
– Others
Classes of Intruders
• Below are the broad classes of intruders: Cont…
– Cyber criminals
• Are either individuals or members of an organized crime
group with a goal of financial reward.
• Their activities may include:
– Identity theft, theft of financial credentials, data theft, or data
ransoming.
• They are usually young, often Eastern European, Russian, or
southeast Asian hackers, who do business on the Web.
Classes of Intruders
• Below are the broad classes of intruders: Cont…
– Activists
• Are either individuals, usually working as insiders, or
members of a larger group of outsider attackers, who are
motivated by social or political causes.
• They are also known as hacktivists, and their skill level is
often quite low.
• Their attack goals:
– Usually to promote and publicize their cause, typically through
website defacement, denial of service attacks, or the theft and
distribution of data that results in negative publicity or compromise
of their targets.
• Example: Edward Snowden
Classes of Intruders
• Below are the broad classes of intruders: Cont…
– State-sponsored organizations
• Are groups of hackers sponsored by governments to conduct
espionage (spying/surveillance) or sabotage
(damage/interrupt) activities.
• They are also known as Advanced Persistent Threats (APTs),
due to the covert (secret/hidden) nature and persistence
over extended periods involved with many attacks in this
class.
– APT: An attacker gains unauthorized access to a system or network
and remains there for an extended period of time.
» Goal: Often is data theft.
– Example: US government surveillance programmes revealed by Edward Snowden
Classes of Intruders
• Below are the broad classes of intruders: Cont…
– Others
• Are hackers with motivations other than those listed above,
including classic hackers or crackers who are motivated by
technical challenge or by peer-group esteem and reputation.
– Given the wide availability of attack toolkits, there is a pool of
“hobby hackers” using them to explore system and network security,
who could potentially become recruits for the above classes.
Intrusion Detection System (IDS)
• Security Incident
– Is an event in which an intruder gains or attempts to
gain unauthorized access to a system or a system
resource.
• Intrusion detection
– A service that monitors and analyzes system events for
the purpose of finding and providing real-time or near
real-time warning of attempts to access system
resources in an unauthorized manner.
• Intrusion Detection System (IDS)
– Is a system that provides the intrusion detection service
described above.
Intrusion Detection System (IDS)
• IDS comprises three logical components:
– Sensors
– Analyzers
– User Interface
Intrusion Detection System (IDS)
• IDS comprises three logical components: Cont…
– Sensors
• They are responsible for collecting data.
• Their input may be any part of a system that could contain
evidence of an intrusion.
• Types of input to a sensor include network packets, log files,
and system call traces.
• Sensors collect and forward this information to the analyzer.
Intrusion Detection System (IDS)
• IDS comprises three logical components: Cont…
– Analyzers
• They receive input from one or more sensors or from other
analyzers.
• They are responsible for determining whether an intrusion has occurred.
• Their output is an indication that an intrusion has occurred.
– The output may include evidence supporting the conclusion that an
intrusion occurred.
• The analyzer may provide guidance about what actions to
take as a result of the intrusion.
• The sensor inputs may also be stored for future analysis and
review in a storage or database component.
Intrusion Detection System (IDS)
• IDS comprises three logical components: Cont…
– User Interface
• The component through which an operator interacts with the IDS.
• It enables a user to view output from the system (alerts and their
supporting evidence) or control the behaviour of the system.
Intrusion Detection System (IDS)
• Classification of IDSs:
– IDSs are often classified based on the source and type
of data analyzed, as:
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Distributed or hybrid IDS
Intrusion Detection System (IDS)
• Classification of IDSs: Cont…
– Host-based IDS (HIDS)
• Monitors the characteristics of a single host and the events
occurring within that host for evidence of suspicious activity.
– Network-based IDS (NIDS)
• Monitors network traffic for particular network segments or
devices and analyzes network, transport, and application
protocols to identify suspicious activity.
– Distributed or hybrid IDS
• Combines information from a number of sensors, often both
host and network-based, in a central analyzer that is able to
better identify and respond to intrusion activity.
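The three logical components and the three IDS classes above are easiest to see in code. The following is an added example, not part of the lecture slides: a minimal IDS with a host-based sensor (parses sshd log lines), a network-based sensor (consumes flow records), one analyzer per sensor (failed-login burst, port scan), and a central analyzer that correlates both, which is the distributed/hybrid arrangement. The log lines, flow records, IP addresses, thresholds and alert names are all constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample inputs (not real captures). Addresses are documentation ranges.
HOST_LOG = """\
Mar 10 10:00:01 host1 sshd[1023]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 10:00:03 host1 sshd[1024]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 10:00:05 host1 sshd[1025]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Mar 10 10:00:08 host1 sshd[1026]: Failed password for invalid user admin from 203.0.113.7 port 51006 ssh2
Mar 10 10:00:10 host1 sshd[1027]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 10 10:00:12 host1 sshd[1030]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 10:00:30 host1 sshd[1031]: Failed password for bob from 198.51.100.9 port 40002 ssh2
""".splitlines()

# Flow records: (seconds since midnight, source IP, destination IP, destination port)
NET_FLOWS = [(36000 + i, "203.0.113.7", "10.0.0.5", p)
             for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
NET_FLOWS += [(36020, "198.51.100.4", "10.0.0.5", 443)] * 3

AUTH_RE = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def host_sensor(lines):
    """HIDS sensor: turn raw sshd log lines into normalized authentication events."""
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # unrelated log line; the sensor forwards only relevant evidence
        hh, mm, ss, result, user, src = m.groups()
        yield {"ts": int(hh) * 3600 + int(mm) * 60 + int(ss), "src": src,
               "user": user, "ok": result == "Accepted", "raw": line}


def net_sensor(flows):
    """NIDS sensor: flow records are already structured, so just normalize them."""
    for ts, src, dst, dport in flows:
        yield {"ts": ts, "src": src, "dst": dst, "dport": dport}


class BruteForceAnalyzer:
    """Alert when one source produces `threshold` failed logins within `window` seconds."""
    def __init__(self, threshold=5, window=60):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # src -> (timestamp, raw line) of recent failures

    def feed(self, ev):
        if ev["ok"]:
            return None
        q = self.failures[ev["src"]]
        q.append((ev["ts"], ev["raw"]))
        while q and ev["ts"] - q[0][0] > self.window:
            q.popleft()  # slide the window: drop failures that are too old
        if len(q) >= self.threshold:
            evidence = [raw for _, raw in q]
            q.clear()  # one alert per burst, not one per additional failure
            return {"kind": "ssh_bruteforce", "src": ev["src"], "severity": "medium",
                    "evidence": evidence}
        return None


class PortScanAnalyzer:
    """Alert when one source touches `threshold` distinct ports within `window` seconds."""
    def __init__(self, threshold=10, window=60):
        self.threshold, self.window = threshold, window
        self.touched = defaultdict(deque)  # src -> (timestamp, dst, dport)

    def feed(self, ev):
        q = self.touched[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > self.window:
            q.popleft()
        ports = {(dst, dport) for _, dst, dport in q}
        if len(ports) >= self.threshold:
            q.clear()
            return {"kind": "port_scan", "src": ev["src"], "severity": "low",
                    "evidence": sorted(ports)}
        return None


def central_analyzer(alerts):
    """Hybrid IDS step: correlate per-sensor alerts by source address and escalate
    when the same source appears in both a host-based and a network-based alert."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src"]].add(a["kind"])
    escalated = [{"kind": "correlated_intrusion", "src": src, "severity": "high",
                  "evidence": sorted(kinds)}
                 for src, kinds in by_src.items() if len(kinds) > 1]
    return alerts + escalated


def run_ids(host_lines=HOST_LOG, flows=NET_FLOWS):
    """Wire sensors to analyzers and return every alert the IDS produced."""
    alerts = []
    bf, ps = BruteForceAnalyzer(), PortScanAnalyzer()
    for ev in host_sensor(host_lines):
        a = bf.feed(ev)
        if a:
            alerts.append(a)
    for ev in net_sensor(flows):
        a = ps.feed(ev)
        if a:
            alerts.append(a)
    return central_analyzer(alerts)


if __name__ == "__main__":
    for a in run_ids():  # stands in for the user interface: present alerts and evidence
        print(a["severity"].upper(), a["kind"], a["src"], a["evidence"])
```

Each alert carries the evidence that produced it (the raw log lines, or the set of ports touched), which is what lets an operator at the user interface confirm the analyzer's conclusion rather than take it on trust. The sliding window and the clear-after-alert step are what keep a single burst from generating one alert per event.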
Honeypots
• What are they?
– Are decoy (trap/snare) systems that are designed to
lure a potential attacker away from critical systems.
– They are designed to:
• Divert an attacker from accessing critical systems.
• Collect information about the attacker’s activity.
• Encourage the attacker to stay on the system long enough for
administrators to respond.
– NOTE:
• A Honeypot is a further component of intrusion detection
technology.
Honeypots
• Honeypot classification: They are classified as
being either low or high interaction:
– Low interaction honeypot
• Consists of a software package that emulates particular IT
services or systems well enough to provide a realistic initial
interaction, but does not execute a full version of those
services or systems.
– High interaction honeypot
• Is a real system, with a full operating system, services and
applications, which are instrumented and deployed where
they can be accessed by attackers.
– This is a more realistic target that may occupy an attacker for an
extended period.
» However, it requires significantly more resources, and if
compromised could be used to initiate attacks on other systems.
END